Source: socprime.com – Author: Steven Edwards
When malware like the Kalambur backdoor leverages native tools like curl.exe to route traffic through TOR, defenders need visibility at the process and command-line level. But in tools like Microsoft Sentinel, queries for such activity—written in Kusto Query Language (KQL)—can quickly grow difficult to interpret.
That’s where Uncoder AI’s AI-generated Decision Tree delivers immediate value. It transforms complex, nested Sentinel queries into visual logic flows that analysts can read, explain, and act on, without reverse engineering the query line by line.
This Microsoft Sentinel query detects suspicious use of curl.exe with command-line arguments that suggest TOR proxy routing via:
These elements are commonly used to anonymize traffic or route it through the TOR network, evading conventional visibility.
Each condition builds logically upon the last, making it obvious when and why the detection fires. The AI-generated tree even visualizes these conditions in a flow diagram, helping analysts see the evaluation path from top to bottom.
With Uncoder AI’s decision tree, detection engineers gain real-time explainability, making it easier to:
A Microsoft Sentinel query!
The condition part of this query is:
```
where (NewProcessName endswith @'curl.exe'
    and (CommandLine contains @'socks5h://'
         or CommandLine contains @'socks5://'
         or CommandLine contains @'socks4a://')
    and CommandLine contains @'.onion')
```
Let's break down the decision tree for this condition:
1. **NewProcessName endswith @'curl.exe'**:
* Check if the `NewProcessName` field ends with the string `curl.exe`.
* If true, proceed to the next step.
2. **CommandLine contains specific SOCKS protocols**:
* Check if the `CommandLine` field contains any of the following strings:
+ `socks5h://`
+ `socks5://`
+ `socks4a://`
* If any of these conditions are true, proceed to the next step.
3. **CommandLine contains .onion**:
* Check if the `CommandLine` field contains the string `.onion`.
* If true, the entire condition is considered true.
The decision tree can be represented as follows:
```
+-------------------------+
| NewProcessName          |
| ends with curl.exe      |
+-------------------------+
            |
            v
+-------------------------+
| CommandLine contains    |
| SOCKS protocol          |
| (socks5h://, socks5://, |
|  socks4a://)            |
+-------------------------+
            |
            v
+-------------------------+
| CommandLine contains    |
| .onion                  |
+-------------------------+
            |
            v
+-------------------------+
| Condition is TRUE       |
+-------------------------+
```
In summary, the condition will be true if all three steps are met:
1. The new process name is `curl.exe`.
2. The command line contains a specific SOCKS protocol.
3. The command line contains the string `.onion`.
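As an added illustration (not part of the original post or of the Uncoder AI output), the same three-step evaluation modelled in Python and run over a few constructed process-creation events. KQL's `endswith` and `contains` compare case-insensitively, so the model lowercases both fields before matching; the event records and `.onion` hostnames are made up for the demonstration.

```python
"""Constructed Python model of the Sentinel condition discussed above.

Mirrors the three decision-tree steps and, like KQL's `endswith` and
`contains`, compares case-insensitively. The events below are made up
for illustration; they are not real telemetry.
"""

SOCKS_SCHEMES = ("socks5h://", "socks5://", "socks4a://")


def evaluate(event: dict) -> tuple[bool, str]:
    """Walk the decision tree for one process-creation event.

    Returns (fired, reason). `reason` names the first failing step, or
    'all-steps-true' when the condition fires, so an analyst can see
    where the evaluation stopped.
    """
    proc = event.get("NewProcessName", "").lower()
    cmd = event.get("CommandLine", "").lower()

    # Step 1: process image ends with curl.exe (KQL endswith is case-insensitive)
    if not proc.endswith("curl.exe"):
        return False, "step1-not-curl"
    # Step 2: command line names one of the SOCKS proxy schemes
    if not any(scheme in cmd for scheme in SOCKS_SCHEMES):
        return False, "step2-no-socks-scheme"
    # Step 3: command line references a .onion address
    if ".onion" not in cmd:
        return False, "step3-no-onion"
    return True, "all-steps-true"


# Constructed sample events (not real logs); hostnames are placeholders
SAMPLE_EVENTS = [
    {"NewProcessName": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -x socks5h://127.0.0.1:9050 http://example.onion/"},
    {"NewProcessName": r"C:\Tools\CURL.EXE",   # mixed case still matches
     "CommandLine": "CURL.EXE --proxy SOCKS5://127.0.0.1:9050 https://example.onion/"},
    {"NewProcessName": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -x socks5h://127.0.0.1:1080 https://example.com/"},
    {"NewProcessName": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe https://example.onion/"},
    {"NewProcessName": r"C:\Windows\System32\powershell.exe",
     "CommandLine": "powershell.exe -c curl socks5h://127.0.0.1:9050 example.onion"},
]


def run_detection(events=SAMPLE_EVENTS) -> list[tuple[bool, str]]:
    """Evaluate every event and return the (fired, reason) pair for each."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for event, (fired, reason) in zip(SAMPLE_EVENTS, run_detection()):
        print("FIRED " if fired else "nofire", reason, event["CommandLine"])
```

The last three sample events show each branch of the tree failing in turn, which is the view the decision tree gives an analyst when tuning or explaining the rule.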
This rule highlights a sophisticated tactic—abusing curl for anonymized communications. Uncoder AI turns that detection into something any analyst can understand, trust, and take action on.
Original Post URL: https://socprime.com/blog/detecting-covert-tor-access-in-microsoft-sentinel-with-uncoder-ais-decision-tree/
Category & Tags: Blog, SOC Prime Platform, AI-generated Decision Tree, Microsoft Sentinel, Uncoder AI